From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 722C1385781A; Thu, 16 Mar 2023 14:30:54 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 722C1385781A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1678977054;
	bh=EFThMIxVcVGyskepS7thxXr+uUtWf9fuYjLTdM+vvz8=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=Wbd9Qn6Fxp8LApTzT/QaJO/LWH8WZdMI9dUGIEAPPgOexN6kkaqQ96e2dxkhfq+d+
	 H3owtZBGvGewTzwZ5Yg6r/V2RlFcMFCd4Zth/oce1EKN5zW3yguA2J6pjrn8WIiuQL
	 iZP4e5dMPtLPofTQA8hm8gin9lJg0Ob9FJ/6t+GA=
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108541] ASAN since GCC 9 missed a
 stack-buffer-overflow since r9-4503-g6e644a50045f8032
Date: Thu, 16 Mar 2023 14:30:53 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: marxin at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: WONTFIX
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: marxin at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_status resolution
Message-ID: <bug-108541-4-E12yTPzxrE@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-108541-4@http.gcc.gnu.org/bugzilla/>
References: <bug-108541-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <gcc-bugs.sourceware.org>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108541

Martin Li=C5=A1ka <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #2 from Martin Li=C5=A1ka <marxin at gcc dot gnu.org> ---
Ok, I've got a reduced test-case:

cat pr108541.c
struct S {
  // WORKS: char padding[48];
  char padding[49];
};

struct S h, *i;

int main() {
  int *dummy;
  &dummy;

  int m =3D 1;
  char *ptr =3D (char *)&m;
  *(struct S *)(char *)(ptr - 0) =3D h;
  return 0;
}

so the shadow memory looks like this:
0x7ffff5300000: f1 f1 f1 f1 f1 f1 04 f2 00 f3 f3 f3

    [48, 52) 'm' (line 12)
    [64, 72) 'dummy' (line 9)

what happens here: during the expansion of   .ASAN_CHECK (5, ptr_5, 49, 1);


we check for the memory area beginning (that's fine), and than the ending,
which is out of the poisoned memory. It's unfortunate that the middle area =
of
the 49B contains a poisoned memory.
Closing as won't fix, we can't check every single byte of shadow memory, th=
at
would be very slow.=